This presentation discusses how to detect phishing and provides some background on using a measured security awareness service as a continuing education tool. The presentation gives examples of how phishing can be used in a constructive manner, giving end users real-life experience in dealing with phishing and spear phishing attacks.
2. Overview
Phishing Background
Threat to IT on campus
Phishing education
Tricks employed
Sample phishing emails unique to UW-Madison
Spotting the phish, after the click
How measured security awareness works
Conducting a campaign in your department
Q&A session
1/10/2014
UNIVERSITY OF WISCONSIN
2
3. Phishing Defined
Phishing is the act of attempting to acquire information such as usernames, passwords, and credit card details (and sometimes, indirectly, money) by masquerading as a trustworthy entity in an electronic communication, usually email.
5. Why Phishing Is Such a Threat
UW-Madison IT infrastructure is designed to protect the campus computing assets with many technical controls
However, this persuades hackers to pursue access via alternate means, often choosing to exploit the human factor
6. Your Password Is the Key to the Kingdom
If an attacker can persuade you to give them your password, they can evade all the controls put in place to protect sensitive systems
8. I am Too Smart to Fall For a Trick Like Phishing
Most large organizations have a phishing participation rate of around 10%
This rises when the population become the subjects of Spear Phishing, which is phishing email designed specifically for the recipient
9. Phishing Relies Upon Social Engineering
The practice of deceiving someone, either in person, over the phone, or using a computer, with the express intent of breaching some level of security, either personal or professional.
Social engineering techniques are considered con games which are performed by con artists. The targets of social engineering may never realize they have been victimized.
10. Tricks Used By Expert Phishers
Socially Aware: Mining of information about the target from publicly available resources, such as Facebook, property records, or even CCAP
Context Aware: Make reference to an activity you are likely to engage in, such as Amazon.com, or UPS package receipt
11. Specific Examples of Complex Phishing Attempts
Baiting: Placing a USB flash drive or CD, with malware on it, in a public place
12. Specific Examples of Complex Phishing Attempts
QR Code Curiosity: Embedding malicious code within a QR code, on a printout posted to a community bulletin board
13. Specific Examples of Complex Phishing Attempts
Out of Office, Out of Control: Taking advantage of an autoresponder, leveraging specific knowledge to exploit co-workers
14. What Would Happen If You Received This Email?
15. What Would Happen If You Received This Email?
16. Tips To Spot Social Engineering Within a Phishing Attempt
Asks you to verify a sensitive piece of information
A sense of urgency is implied in the message
An overt or implied threat may be present
Flattery is used to get you to drop your guard
Use, and sometimes overuse, of organizational knowledge is employed
A bribe or reward for your “help” may be offered
17. Have You Ever Been Successfully Phished?
18. Spotting the Phish After the Click
Website address looks odd or incorrect
IP address shows in address bar
Multiple pop-ups appear on top of legitimate website window
Website contains spelling or grammar errors
No SSL lock is present on what should be a secure site
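Three of the indicators on this slide (an address that looks odd or incorrect, an IP address in the address bar, and no SSL lock) can be checked mechanically from the URL alone. The following is an added example, not code from the original presentation or from UW-Madison's program: the trusted-domain allowlist (`wisc.edu`) stands in for whatever domains your own users legitimately log in to, and the sample addresses are constructed. The spelling/grammar and pop-up indicators need the page content rather than the URL, so they are not covered here.

```python
"""Heuristic checks for the address-bar indicators from the slide above.

Added example, not code from the original presentation. TRUSTED_DOMAINS is an
assumed allowlist standing in for the domains your users legitimately log in
to; the sample URLs in demo() are constructed.
"""
import ipaddress
from urllib.parse import urlparse

# Assumption: domains a campus user expects a real login page to be under.
TRUSTED_DOMAINS = {"wisc.edu"}


def host_is_ip(host: str) -> bool:
    """'IP address shows in address bar': the host is a bare IPv4/IPv6 literal."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def assess_url(url: str) -> list:
    """Return a list of indicator strings; an empty list means nothing odd found.

    Covers three indicators from the slide: no SSL lock (scheme is not https),
    an IP address in place of a hostname, and an address that 'looks odd',
    here meaning a trusted domain name appearing inside an unrelated hostname.
    """
    findings = []
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        findings.append("no SSL lock: page is not served over HTTPS")

    if host_is_ip(host):
        findings.append("IP address in the address bar instead of a hostname")

    # Anything before '@' in the authority is userinfo, which browsers ignore,
    # so 'login.wisc.edu@...' lands on whatever follows the '@'.
    # urlparse already reports the real host; we flag the trick explicitly.
    if "@" in parsed.netloc:
        findings.append("'@' in the address: the real host is the part after '@'")

    # Heuristic lookalike check: 'login.wisc.edu.example.net' or
    # 'wisc-edu-login.net' contain the trusted name but are not under it.
    for domain in TRUSTED_DOMAINS:
        if host == domain or host.endswith("." + domain):
            continue
        if domain in host.replace("-", "."):
            findings.append(f"address imitates {domain} but is not under it")

    return findings


def demo() -> dict:
    """Run the checker over constructed sample addresses (not real sites)."""
    samples = [
        "https://login.wisc.edu/idp/login",
        "http://198.51.100.7/login.wisc.edu/",
        "https://login.wisc.edu.example.net/verify",
        "https://login.wisc.edu@203.0.113.9/",
    ]
    return {url: assess_url(url) for url in samples}


if __name__ == "__main__":
    for url, findings in demo().items():
        status = "OK" if not findings else "SUSPICIOUS"
        print(f"{status:10} {url}")
        for finding in findings:
            print(f"           - {finding}")
```

The lookalike rule is deliberately a coarse substring test: it will flag some harmless names that happen to contain the trusted domain, which is the right trade-off for a training aid whose job is to make the user pause and look at the address bar, not to make a blocking decision.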
19. Can You Spot the Issue Here
20. Combat Phishing Attempts
Never give away personal information, especially username and password
Don’t let curiosity get the best of you
Look for the tell-tale signs we have discussed today
There are no situations which justify exceptions
If something sounds too good to be true…
21. Measured Security Awareness
Learning Through Doing
Studies demonstrate that people tend to forget formal education over time
The best way to learn and remember is through experience
Measured security awareness is the ability to engage in realistic training within a safe, controlled and blame-free environment
22. UW-Madison’s Measured Security Awareness Program
The Division of Information Technology has purchased a vendor solution which enables us to conduct measured security awareness campaigns
The system is safe
The system does NOT collect personal information such as who clicked on links, etc. Information is only reported in aggregate
DoIT has been internally phishing 850 internal staff for over a year
23. Results So Far, at DoIT
At first, people were apprehensive
The beginning phishes were easy
Once people became accustomed to it, attitudes became more accepting
After a year, most people are enjoying the challenge
Most importantly, many fewer people are falling for the phish
24. This Proposal Smells Phishy
Over the next six months, you will be presented with 12 phishing attacks
Some will be easy to detect, others will be more sophisticated and difficult to detect
We may even go on a Whaling Expedition! Do you know what that is?
Participation rate will be collected (in aggregate) and summarized in a report
25. Q&A Session
Are you ready for a phishing expedition?
Nicholas Davis
ndavis1@wisc.edu